ESXi 5.0 and higher maintains a history of all commands entered in the ESXi Shell, whether accessed at the console or via SSH. This shell command history is maintained in the shell.log file. Within the transcription of commands, the command issuer is identified by the process or world ID. This article describes how to correlate authentication information from the auth.log file with the history of commands executed in the ESXi Shell.
For more information on the locations of the log files described, see Location of ESXi 5.0 log files (2004201) and Location of log files for VMware products (1021806).
To determine the commands executed in the ESXi Shell, and which user and client issued the request:
auth.log and shell.log log files.
appname=login,sshd,shell
less command.
https://ESXiHostnameOrIP/host/auth.log and https://ESXiHostnameOrIP/host/shell.log.
vifs command line utility in the vCLI to copy the logs to a client and review the logs.
vm-support log bundle.
/var/log/auth.log in a text viewer.
2011-08-29T18:01:00Z login[64386]: root login on 'char/tty/1'

2011-08-29T18:01:00Z sshd[12345]: Connection from 10.11.12.13 port 2605
2011-08-29T18:01:00Z sshd[12345]: Accepted keyboard-interactive/pam for root from 10.11.12.13 port 2605 ssh2
2011-08-29T18:01:00Z sshd[64386]: Session opened for 'root' on /dev/char/pty/t0
2011-08-29T18:01:00Z sshd[12345]: Session closed for 'root' on /dev/char/pty/t0
...
2011-08-29T18:35:05Z sshd[12345]: Session closed for 'root' 2

2011-08-29T18:01:00Z sshd[12345]: Connection from 10.11.12.13 port 2605
2011-08-29T18:01:00Z sshd[12345]: Accepted publickey for root from 10.11.12.13 port 2605 ssh2
2011-08-29T18:01:00Z sshd[64386]: Session opened for 'root' on /dev/char/pty/t0
2011-08-29T18:01:00Z sshd[12345]: Session closed for 'root' on /dev/char/pty/t0
...
2011-08-29T18:35:05Z sshd[12345]: Session closed for 'root' 2
root on August 29th at 18:01 GMT. The SSH methods also include the IP address that the connection was initiated from. The shell session is being handled by world 64386.
/var/log/auth.log file.
/var/log/shell.log file in a text viewer.
2011-08-29T18:01:01Z shell[64386]: Interactive shell session started
2011-08-29T18:05:02Z shell[64386]: cd /var/log
2011-08-29T18:05:03Z shell[64386]: ls
2011-08-29T18:13:04Z shell[64386]: vmware -v
2011-08-29T18:35:05Z shell[64386]: exit
64386, they correspond to the authentication session established by user root as described in Step 3.